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NATO/AGARD  SYMPOSIUM  ON  SOFTWARE 
FOR  AVIONICS 

Software  for  avionics  was 
the  focus  of  the  fall  1982  AGARD 
Avionics  Panel  symposium  held  in 
Kijkduin,  the  Netherlands.  The 
subject  was  chosen  because  of  the 
problems  associated  with  the 
increasing  cost  and  complexity  of 
software  in  general  and  avionics 
software  in  particular. 

About  250  attendees  partici¬ 
pated  in  sessions  concerning 
requirements,  design,  develop¬ 
ment,  verification,  and  valida¬ 
tion  of  avionics  software.  The 
tecnnical  program  committee  was 
chaired  by  Max  Jacobsen  and  was 
made  up  of  members  from  the  US, 
the  UK,  Italy,  France,  and 
Germany. 

Although  a  few  papers 
concerned  research  results  and 
future  technology,  most  dealt 
with  the  practical  aspects  of 
avionics  software  development. 
As  a  result,  the  symposium  had 
the  character  of  a  practitioners' 
workshop.  Some  sessions  and 
related  conclusions  are  described 
in  this  report.  The  appendix 
contains  a  numerical  list  of 
program  speakers  and  the  titles 
of  their  presentations. 

Software  Technology  Tutorial 

The  first  session  was  a 
tutorial  on  the  current  state  of 
avionics  software  technology. 
The  principal  point  of  the  first 
paper,  presented  by  Dr.  Willis 
Ware  (Rand  Corp.),  was  that 
software  problems  are  developing 
faster  than  solutions.  To 
support  this  contention.  Ware 
noted  that  military  users  cannot 
state  requirements  precisely 
enough  for  software  designers; 
the  information  management 
problem  in  the  cockpit  is  getting 
more  difficult.  For  example, 
more  rapid  handling  of  more 
information  is  needed,  and 


aircraft  will  be  spending  longer 
periods  of  time  m  the  air  and  must 
become  more  reliable. 

Ware  observed  that  techniques 
for  alleviating  software  problems 
are  just  now  moving  from  the 
laboratories  into  the  development 
community.  He  stated  that  the  most 
promising  techniques  treat  software 
components  as  black  boxes. 

Other  presentations  in  the 
session  dealt  with  avionics  soft¬ 
ware  development  methodologies  and 
automated  aids  to  support  them. 
Discussions  included  the  methodo¬ 
logies  used  for  the  F-16,  the 
Tornado,  and  the  MINERVE;  exten¬ 
sions  to  the  MASCOT  methodology; 
and  the  AIGLE  system.  MASCOT  and 
MINERVE  are  standardized  methodo¬ 
logies  used  in  the  UK  and  France, 
respectively.  MASCOT  includes  a 
set  of  integrated  support  tools; 
AIGLE  is  a  set  of  integrated 
support  tools  now  under  development 
for  MINERVE. 

Requirements  Analysis 

The  papers  in  Session  2  seemed 
to  indicate  that  it  was  desirable 
for  a  requirements  specification  to 
be  complete,  formal,  and  unambig¬ 
uous,  and  to  answer  the  questions 
why  and  what  rather  than  how. 
Paper  8  used  these  criteria  to 
provide  a  quantitative  evaluation 
of  a  manually  created  requirements 
document.  Presentations  9,  10,  and 
11  dealt  with  automated  aids  for 
producing  requirements  with  such 
characteristics.  interesting  var¬ 
iations  on  the  theme  were  also 
included  m  the  session.  Paper  6 
discussed  pitfalls  in  the  require¬ 
ments  definition  process. 

One  could  conclude  from 
Session  2  that  good  requirements 
specifications  can  be  created 
manually,  but  that  automated  aids 
would  make  the  task  much  easier. 
People  using  such  aids  are  strug¬ 
gling  to  fit  them  into  the  usual 
software  development  methodologies 
but  consider  the  effort  worthwhile. 
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Software  Design  and  Development 
~  Much  ot  the  session  on 
design  and  development  was 
concerned  with  the  use  of  high 
order  languages  for  avionics. 
The  avionics  community  in  general 
has  lagged  in  the  use  of  such 
languages  and  is  now  attempting 
to  remedy  the  situation.  The 
following  questions  were  dis¬ 
cussed  during  the  session: 

1.  Should  we  wait  for  the 
advent  ot  Ada  production  com¬ 
pilers  before  switching  to  a  high 
order  language,  or  should  we 
adopt  some  other  language  for 
which  we  know  efficient  compilers 
can  be  developed? 

2.  How  do  we  solve  the 
problem  of  using  high  order 
languages  for  microprocessors 
when  a  new  generation  of  micro¬ 
processors  comes  along  every  2  to 
4  years  and  requires  a  new 
compiler? 

3.  Can  we  aftord  the 
overhead  of  using  abstractions 
built  into  standardized  methodo¬ 
logies  and  their  tools,  including 
high  level  languages  and  systems 
such  as  MASCOT? 

The  status  ot  the  Ada  effort 
(paper  13)  was  presented  by  a 
representative  of  the  Ada  Joint 
Program  Office. 

Because  of  doubts  about  the 
efficiency  of  Ada's  real-time 
capabilities,  the  possible 
training  problems,  and  the  costs 
associated  with  using  the  system 
and  its  environment,  several 
organizations  have  decided  to  use 
existing  languages.  For  example, 
the  French  language  LTR,  which 
has  been  a  standard  since  1974, 
is  now  being  upgraded  to  handle 
parallel  tasKs  (paper  14) . 

To  deal  with  microprocessor 
problems,  Messerschmitt-BOlkow- 
Blohm  GmbH  (MBB)  of  Germany  has 
developed  a  system  for  producing 
Pascal  compilers  for  micropro¬ 
cessors  (paper  16) .  A  common 
front  end  and  intermediate 


language  is  used  by  all  the  compi¬ 
lers,  requiring  only  the  develop¬ 
ment  of  a  new  code  generator  to 
produce  a  new  compiler  for  a  new 
microprocessor . 

Advantages  and  disadvantages 
of  using  the  MASCOT  system  were 
discussed  by  a  representative  of 
Ferranti  (paper  18) .  The  issue 
that  drew  the  most  attention  was  an 
estimate  of  a  35  to  40%  increase  in 
overhead  using  MASCOT. 

Verification  and  Validation 

Many  ot  the  papers  in  the 
verification  and  validation  session 
were  descriptions  of  detailed  test 
methodologies  and  associated  auto¬ 
mated  tools.  Issues  discussed 
included  how  to  manage  the  testing 
process,  who  should  do  the  testing, 
and  what  are  good  measures  of  test 
coverage.  There  was  agreement  that 
a  strictly  disciplined  approach  to 
testing  is  needed.  Many  organiza¬ 
tions  are  using  similar  approaches 
tor  achieving  such  discipline, 
including  developing  support  tools 
to  generate  tests  and  to  measure 
the  testing  process  (e.g.,  to 
report  on  test  coverage  for  each 
program  being  checked) . 

Other  interesting  papers  on 
verification  were  included  in  the 
session.  One  discussed  using 
dissimilar  software  to  achieve  high 
integrity  systems  (paper  34) .  In 
other  words ,  two  or  more  indepen¬ 
dently  developed  software  compo¬ 
nents  that  have  the  same  specifi¬ 
cation  are  used  to  perform  a  task. 
If  all  produce  the  same  result,  the 
probability  is  high  that  the  result 
is  correct.  It  one  or  more  dis¬ 
agree,  a  vote  may  be  taken  to 
determine  the  correct  result.  As 
the  number  of  dissimilar  systems 
used  is  increased,  the  number  of 
errors  that  each  may  contain — while 
still  providing  the  correct  re¬ 
sult— also  increases.  Conse¬ 
quently,  no  individual  component 
requires  extensive  verification. 

Paper  30  described  a  state- 


of-the-art,  semiautomated,  pro¬ 
gram  verification  system.  The 
system  is  toeing  used  experimen¬ 
tally  to  verity  microprograms 
used  to  control  computers.  Ver¬ 
ification  requires  as  input  a 
formal  description  of  the  machine 
emulated  by  the  microcode,  a 
formal  description  of  the  seman¬ 
tics  of  the  micromachine  on  which 
the  microcode  executes,  and  the 
microcode  itself.  In  addition,  a 
"rationale"  for  the  microcode  is 
submitted  by  the  programmer. 

A  symbolic  execution  scheme 
is  used,  and  about  1,000  microin¬ 
structions  per  hour  can  be 
verified.  The  developers  believe 
the  rate  can  be  increased  to 
approximately  2,000  microinstruc¬ 
tions  per  minute. 

Conclusions 

— . _ ^The  avionics  community  is 

struggling  to  automate  its  work. 
Different  methodologies  are  being 


used  to  impose  discipline  on 
avionics  software  development,  and 
the  methodology  developers  are  now 
attempting  to  provide  as  much 
automated  support  as  possible. 
Support  tools  such  as  requirement 
specification  systems,  high  level 
language  compilers,  data-base 
systems,  test  languages,  and  other 
test  tools  are  all  being  slowly 
integrated  into  the  software 
development  process.  The  situation 
can  be  contrasted  with  that  10 
years  ago,  when  software  developers 
were  thinking  about  what  method¬ 
ology  to  use. 

Perhaps  most  ignored  during 
the  symposium  were  techniques  for 
design — as  opposed  to  techniques 
for  managing  development.  The 
criteria  used  to  organize  and 
document  a  design  are  the  basic 
problems  in  producing  systems  that 
are  maintainable  over  long  periods 
of  time. 


APPENDIX: 


SESSIONS  AND  SPEAKERS 

Session  Is  Software  (S/W)  Technology  (Tutorial) — Chairman, 
Dr.  A. A.  Callaway  (UK) 

1.  Avionic  Software:  Where  Are  We 

Dr.  W.  Ware,  Rand  Corp. ,  Santa  Monica,  CA 

2.  Avionics  Software  Design 

Dr.  D.E.  Sundstrom,  General  Dynamics,  Fort 
Worth ,  TX 

3.  S/W  Development:  Design  and  Reality 

Dr.  H.  Groote,  Dr.  Schwegler,  MBB,  Mttnchen, 
Germany 

4.  MASCOT  Developments  to  Improve  Software 
Structure  and  Integrity 

Dr.  H.R.  Simpson,  British  Aerospace  PLC, 
Dynamics  Group,  Stevenage,  UK 

5.  Vers  un  Veritable  Atelier  de  Logiciel  Avionique 

J.  Perin,  Electronique  Marcel  Dassault, 

St.  Cloud,  France 

Session  2:  Software  and  System  Requirement  Analysis — 
Chairman,  Dr.  Ing.  L.  Crovella  (Italy) 

6.  Requirements  Decomposition  and  Other  Myths 

B.  Malcolm,  T.  Swann,  B.  Hauxwell,  D.  Jordan, 
Marconi  Avionic  Systems  Ltd.,  UK 

7.  Practical  Considerations  in  the  Introduction  of 
Requirement  Analysis  Techniques 

C. P.  Price,  D.Y.  Forsyth,  British 
Aerospace  PLC,  Warton,.  Preston,  UK 

8.  Evaluation  ot  the  A-7  Software  Requirements 
Document  by  Analysis  of  Changes:  Three  Years  of 
Data 

D. M.  Weiss,  L.  Chmura,  U.S.  Naval  Research 
Laboratory,  Washington,  D.C. 

9.  D.L.A.O. :  Un  Systeme  d'Aide  a  ia  Definition  de 
Logiciel  Avioniques 

S.  Chenut/Martin,  Ing.  F.  Doladiile, 
Electronique  Marcel  Dassault,  St.  Cloud, 

France 

10.  The  Mentor  Approach  to  Systems  Development 

D.  Jordan,  B.  Hauxwell,  Marconi  Avionic 
Systems  Ltd. ,  UK 

11.  The  Computer  Aided  System  Specification  Easy 

N.  Christensen,  L.  Hirschmann,  Mat.  Beratungs- 
und  Programmierdienst ,  Dortmund,  Germany 

Session  3:  Software  Design  and  Development  Process — 
Chairman,  B.  Mirailles  (France) 

12.  The  Impacts  of  Standardization  on  Avionic 
Software 

Dr.  J.D.  Engelland,  G.R.  England,  General 
Dynamics  Div. ,  Fort  Worth,  TX 


4 


Session 


ij.  Ada  Status  and  Outlook 

L/Cdr.  J.F.  Kramer,  Ada  Joint  Program  Office, 
Arlington,  VA 

14.  Standardisation  du  LTP.  Pour  Calculateurs 
Embarques — le  Present  et  ie  Futur 

ICA  de  Montcheuil,  Direction  Technique  des 
Engms,  Paris-Armees,  France 

15.  Use  of  High  Order  Language  for  OFP  Programming 
With  Emphasis  on  the  Use  of  Ada 

Dr.  R.  Pendleton,  Dr.  J.J.  Zenor,  Naval 
Weapons  Center,  China  Lake,  CA 

16.  An  Approach  to  a  Portable  Pascal  Language  for 
Different  Onboard  Computer  Systems 

Dr.  W.  Wiemer,  Mr.  Reitz,  MBB,  Mtlnchen, 

Germany 

17.  Use  of  High  Order  Languages  on  Micro-Processors 

R.M.  Boardman,  Marconi  Avionic  Systems  Ltd., 

UK 

18.  Software  Design  and  Development  Using  MASCOT 

R.  Dibble,  G.  Cram,  D.  Milledge, 

Ferranti  Computer  Systems  Ltd. ,  UK 

19.  Safety  Critical  Fast-Real-Time  Systems 

Dr.  B.  Gusmann,  O.F.  Nielsen,  R.  Hansen,  MBB, 
Mtlnchen,  Germany 

20.  Usability  of  Military  Standards  for  the 
Maintenance  of  Embedded  Computer  Software 

Prof.  N.  Schneidewind,  Naval  Postgraduate 
School,  Monterey,  CA 

21.  Software  Configuration  Management  at  Work 

Jan  T.  Pedersen,  A/S  Kongsberg 
VSpenfabrikk,  Norway 

22.  Configuration  Management  and  the  Ada  Programming 
Support  Environment 

Cht.  Eng.  K.  Pul ford,  Marconi  Avionic  Systems 
Ltd . ,  UK 

23.  Practical  Software  Fault  Tolerance  for  Real-Time 
Systems 

Dr.  John  Knight,  Dr.  T.  Anderson,  Department 
of  Applied  Mathematics  and  Computer  Science, 
Univ.  of  Virginia 

24.  Electronic  Warfare  Software 

R.  Shaw  (AFWAL/AAWP)  ,  Wnght-Patterson 
AFB,  OH 

4:  Software  Verification  and  Validation — Chairman, 
R.O.  Mitchell  (US) 

25.  An  Eight  Point  Testing  Strategy  tor  Real-Time 
Software 

R.  Wilson,  N.  Higson,  Marconi  Avionic  Systems 
Ltd . ,  UK 

26.  Tornado  Flight  Control  Software  Validation: 
Methodology  and  Tools 

Dr.  Ing.  R.  Pelissero,  AERITALIA,  Gruppo 
Equipagg l ament i ,  Torino,  Italy 
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Session 


27.  Applications  of  Network  Logic  Modeling  and 
Analysis  to  System  Validation  and  Verification 

Mr.  G.  Sundberg,  Tracor,  Inc.,  Warminister,  PA 

28.  Software  Test  Language  and  Related  Tools 

Eng.  P.  Taillibert,  G.  Lamarche,  Electronique 
Marcel  Dassault,  St.  Cloud,  France 

29.  Software  Verification  of  a  Civil  Avionic  AHP 
System 

Dr.  M.  Kleinschmidt ,  Dr.  N.  Sandner,  Litton 
Technische  Werke  der  Hellige  GmbH  (LITEF) , 
Freiburg ,  Germany 

30.  Progress  in  Verification  of  Microprograms 

Dr.  S.D.  Crocker,  The  Aerospace  Corporation, 
Los  Angeles,  CA 

31.  Validation  of  Software  for  Missile  to  Aircraft 
integration 

J.R.  McManis,  Naval  Weapons  Center,  China 
Lake ,  CA 

32.  Implementing  High  Quality  Software 

E.  Dowling,  Ferranti  Computer  Systems 
Ltd . ,  Gwent ,  UK 

33.  La  Qualite  Des  Logiciels  Avioniques —  Specif ica- 
tion  et  Evaluation 

Prof.  M.  Galinier,  G.  Germain,  IGL,  Paris, 
France 

34.  Dissimilar  Software  in  High  Integrity 
Applications 

Dr.  D.d.  Martin,  Marconi,  UK 

35.  The  Cost  of  Software  Fault  Tolerance 

G.E.  Migneault ,  AESB/FED,  US 

5:  Software  Life  Cycle  Considerations — Chairman, 

Dr.  H.  Hessel  (Germany) 

36.  Management  of  Large  Real-Time  Military  Avionics 
Software  Programs 

Dr.  P.J.  Carrington,  R.M.  Gisbey,  K.r.J. 
Manning,  Marconi  Avionics,  Rochester,  Kent,  UK 

37.  F/A-18  Avionics  Software— A  Case  Study 

T.v.  McTigue,  McDonnell  Aircraft,  St.  Louis, 

MO 

38.  A  Life  Cycle  Model  tor  Avionic  Systems 

Wis.  Dir.  Dipl.  Ing.  Schaff,  Bundesakademie 
fttr  Wehrverwaltung,  und  Wehrtechnik,  Mannheim, 
Germany 

39.  Avionics  Software  Support  Cost  Model 

D.V.  Ferens  (AFWAL) ,  Wright-Patterson  AFB, 

OH  (presented  by  K.  Shaw) 

40.  A  Software-Cost  Data  Base  tor  Aerospace  Software 
Development 

G.J.  Dekker,  National  Aerospace  Research 
Laboratory,  Amsterdam,  Netherlands 
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41.  The  Military  User  View  ot  Software  Support 
Throughout  the  In-service  Life  of  Avionics 
Systems 

Wg.  Cdr.  S.  Barker,  RAF;  Sqn.  Ldr.  B. 
Rambling,  RAF;  London,  UK 

42.  Design  of  a  Software  Maintenance  Facility  tor 
the  RAF 

J.  Whalley,  T.H.  Scott-Wilson,  British 
Aerospace  PLC,  Stockport,  Cheshire,  UK 

43.  A  Software  Engineering  Environment  for  Weapon 
System  Software 

H.G.  Stuebing,  Software  and  Computer 
Directorate,  US  Naval  Air  Development  Center, 
Warminster,  PA 

44.  On  Aircraft  Software  for  First  Line  Maintenance 

Dr.  H.  Klenk,  MBB,  Mtlnchen,  Germany 


